Twitter Account Intrusions Highlight Password Recovery Weaknesses
As mentioned in this week’s Cyber Risk Report (CRR), a hacker, known by the handle Croll, was able to gain access to private accounts owned by employees of the Twitter micro-blogging website. The hacker successfully guessed password “secret question” recovery queries by gathering info from employee public profiles, and intercepted password reset messages after gaining access to an employee’s public e-mail account. As a result, the hacker gathered further account information, including the users’ passwords, and gained additional account access to other sites, using stolen details to access other accounts, including online financial, e-mail, and e-commerce sites. The attacker was able to steal confidential business documents from these accounts and publish the information, including Twitter employee lists, along with credit card numbers and food preferences and confidential customer data, making this information publicly available on the Internet.The emergence of social networking means that more information about us is available online than ever before, even volunteered as part of our online profiles. However, because site password recovery tools consider these very same details to be private, there exists a dangerous disconnect between what users believe to be private and the mechanisms to discern legitimate users from pretenders who are gaming the password recovery system. Relying on secret question password recovery schemes opens up an easy avenue of exploitation for hackers who know some personal details, as Croll demonstrated. The hack follows other high profile intrusions also leveraging the use of password recovery mechanisms.The compromise also brings to light potential dangers in single account sign-ons, where one password may be used for many sites. In the Twitter incident, by retrieving one password the attacker gained access to a number of web services protected by a single set of account credentials. Password reuse is a similar danger. Even if sites don’t use common accounts across different services, users will. The proliferation of user accounts and passwords across dozens of social networking, e-mail, picture sharing, e-commerce, and financial web services drive users to take shortcuts and reuse passwords for multiple sites. As a result, a single account compromise can impact a number of services owned by a single user, allowing an attacker to sweep across the Internet and gain access to multiple sites with the stolen credentials.All of these problems are well understood, but a better solution still has not been developed. However, user education may be a large part of more secure password recovery. If sites warned users to be as careful when inputting secret question answers as they should be when making passwords, users may choose better answers and protect them as they would passwords. Even so, sites would be wise to adopt password recovery methods that don’t involve the secrecy of our mother’s maiden name, favorite car, first pet, and dream house when those details are posted every day on users’ feeds. Although passwords can be weak, they aren’t by design reliant upon words in a dictionary or dates that relate to our everyday lives. Security questions should solicit complex data. An even better solution would be to simply keep sensitive business documents and operations on systems with lower exposure. The confidential Twitter documents were recovered from publicly accessible, although password-restricted, systems. While insulated, internal, private e-mail and file storage services cost more money and are less accessible, they may be a better choice for the day-to-day business operations of passing confidential data. Internal systems are by no means totally secure and fool-proof, but it takes more determination to gain access to those systems than simply guessing a user’s password recovery secret questions. Public web services are still exposed, and while the compromise of a personal online profile may be embarrassing, it isn’t damaging to the business.Secret questions and single account sign-ons are unlikely to go away anytime soon. But businesses and users can protect themselves by taking the answers to secret questions as seriously as passwords, and keeping confidential information separate from exposed web services. Whenever possible, users are advised to avoid relying upon single sign-on features, and not to reuse passwords for different sites. And we should all be more careful about the kinds of information, especially personally identifiable information, that we post on our public web profiles.